Confidentiality Policy

FOREWORD

This Confidentiality Policy is for you, as the USER of the www.magicstay.com WEBSITE (hereinafter the “WEBSITE”) and its purpose is to tell you how your personal information may, if necessary, be collected and processed by MAGIC STAY.

MAGIC STAY makes your privacy and the protection of your personal data a priority. The purpose of this Confidentiality Policy is to present the content of the personal data processing implemented on the WEBSITE.

MAGIC STAY undertakes in any event to comply with the following two (2) key principles:

- You keep control of your personal data;

- Your data are processed in a transparent, confidential and secure manner.

- Since 25 May 2018: by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “GDPR”).

In the event of a translation of these general terms and conditions into one or more languages, the language of interpretation shall be French in the event of a contradiction or dispute as to the meaning of a term or provision.

ARTICLE 1. DEFINITIONS

LESSOR: refers to any natural or legal person under private law who or which has subscribed to the SERVICES by registering on the WEBSITE and is offering accommodation for rent advertised online by MAGIC STAY on the WEBSITE. It is understood that a LESSOR can be either a professional or a private individual acting as a consumer.

JOINT CONTROLLER: refers to the cases where several entities are responsible for processing the personal data collected on the WEBSITE and determine together the purposes for which and the manner in which any personal data are processed.

MEMBER AREA: refers to the dedicated virtual area on the WEBSITE for LESSORS AND LESSEES to search for accommodation, post advertisements online and access their bookings and invoices. The MEMBER AREA is accessed by using the login credentials.

LESSEE: refers to the natural or legal person, acting in a professional capacity, who or which is renting accommodation following a booking on the WEBSITE.

DATA CONTROLLER: refers to the entity which, alone or jointly with another entity, determines the purposes for which and the manner in which any personal data are processed.

SERVICES: refers to all of the SERVICES provided by MAGIC STAY to the USERS through the WEBSITE. These SERVICES include:

The provision of the WEBSITE’S various functionalities

The “TRAVEL INSURANCE” SERVICE

The “MAGIC-FLEX” SERVICE

WEBSITE: refers to the internet site accessible at www.magicstay.comincluding all the hosted web pages and SERVICES offered to the USERS.

SUB-CONTRACTOR:refers to the person processing personal data on behalf of the DATA CONTROLLER, who acts under the authority of the DATA CONTROLLER and upon its instructions

USER:refers to any person who accesses and browses the WEBSITE.

ARTICLE 2. FRENCH DATA PROTECTION AUTHORITY (CNIL) FORMALITES

The processing of your personal data is the subject of processing records which are inserted into MAGIC STAY’s register of processing operations.

ARTICLE 3. PURPOSES OF PROCESSING

Your various data may be collected by MAGIC STAY in order to ensure that:

- The WEBSITE, its services and its functionalities function correctly and continually improve

- The SERVICES are provided

- Information is sent to the inbox of registered Internet users

- Statistical monitoring of the use of the WEBSITE and its different sections is implemented

- Better knowledge is obtained of the Internet users to respond to their needs and requests in the best way possible by e-mail or by telephone

- The newsletter and other alerts are sent to those Users who have requested them

- Right of access, rectification and opposition requests are handled

These purposes are set out in detail in Articles 4, 5 and 6 of this Confidentiality Policy.

MAGIC STAY shall also be authorised to use such data in order to fulfil a legal or statutory obligation.

In any event, and for each defined purpose, MAGIC STAY shall do everything in its power to ensure the security and the confidentiality of the personal data entrusted to it, in compliance with current laws and regulations.

ARTICLE 4. ACCESS TO THE PLATFORM, INTERMEDIATION AND SERVICE PROVISION

4.1. Data controller’s identity

Within the context of the provision of the WEBSITE, the intermediation with the LESSORS and LESSEES and the provision of the SERVICES, MAGIC STAY should be considered as the data controller.

For more information

If you have any questions about the management and the use made of your personal data, please contact us:

Legal reminder: under the French Data Protection Act, the DATA CONTROLLER is the person who determines the purposes for which and the manner in which any personal data are processed. When two or more data controllers jointly determine the purposes for which and the manner in which any personal data are processed, they are joint data controllers(or joint controllers).

4.2. Collection and processing of personal data

As part of the WEBSITE operation, MAGIC STAY may collect personal data about the USERS when they visit the WEBSITE. Such data are processed in accordance with the purposes stated at the time of collection.

MAGIC STAY may, in particular, collect personal data:

- When a USER wants to be able to access the WEBSITE-related SERVICES

- When you visit the WEBSITE

- When you use functionalities and/or SERVICES offered on the WEBSITE

- When you register and during the creation and updating of your MEMBER AREA

- When interacting with MAGIC STAY via the WEBSITE

- When you make a contact request to MAGIC STAY

Furthermore, data about your browsing on our Internet site may also be used to target your needs and interests and to target our commercial and advertising offers accordingly.

Irrespective of the collection method, MAGIC STAY undertakes to inform you of the purposes of the processing, the obligatory or optional nature of the answers to be provided, any consequences, for you, of your failure to reply, the recipients of the data, and the existence of and procedures for exercising your rights of access, rectification and opposition to the processing of your data.

When it is required under the French Data Protection Act, MAGIC STAY undertakes, as the case may be, to obtain your consent and/or allow you to object to the use of your data for certain purposes.

More details & legal basis

In any event, MAGIC STAY undertakes to process all of the data collected in accordance with the French Data Protection Act No.78-17 of 6 January 1978 as amended, which defines PERSONAL DATA as “any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or to one or more factors specific to that natural person. To determine whether a person is identifiable, account should be taken of all the means for enabling him or her to be identified which the data controller or any other person has or may have access to”.

You can find out more details about how the cookies which let us achieve this purpose are managed in our Cookie Management Charter

4.3. Consent

As data controller, MAGIC STAY must obtain the WEBSITE USERS’ consent to collect and process their personal data.

In accordance with the provisions in force, the USER’s consent must be informed, unambiguous and freely given for each designated purpose. It is given through a statement or a positive action, which is equivalent to the USER’s agreement to the processing of his personal data.

To be specific, any USER whose data are collected for the aforementioned purposes has:

- Either given his consent when he requested access to the SERVICES offered by the WEBSITE

When you open or manage your MEMBER AREA on the WEBSITE, you fill in various forms and communicate your various personal data in order to receive all the services offered by MAGIC STAY.

All of your data are collected directly from you only, when you register, when you place orders, when you log in and during our interactions (online requests, mail, telephone calls, etc.).

Furthermore, data about your browsing on our Internet site may also be used to target your needs and interests and to target our commercial and advertising offers accordingly.

In any event, you are informed of the purposes for which your data are collected by us via the different online data collection forms, your MEMBER AREA or via our Cookie Management Charter

When necessary, MAGIC STAY undertakes, as the case may be, to obtain your consent and/or allow you to object to the use of your data for certain purposes, like, for example, the possibility of sending you marketing communications or putting third-party cookies on your terminals (mobile telephone, computer, tablet) to measure the audience of our website and our application and to offer you commercial offers and targeted advertisements according to your interests.

5.2. Data controllers' identity

In connection with the SERVICES, MAGIC STAY collects and processes personal data relating to the LESSORS. All of the LESSOR’S data shall be processed in accordance with the aforementioned purposes.

b) For LESSEES’ data

In connection with the aforementioned purposes, MAGIC STAY and the LESSOR shall be joint controllers under Article 26 of the GDPR.Indeed, they shall have to collect and process the personal data of the LESSEES on the WEBSITE in order to perform the services.

In this respect, MAGIC STAY and the LESSOR guarantee that they shall process such data in compliance with the rights and obligations arising from the French Data Protection Act.

It is therefore expressly agreed by the PARTIES that MAGIC STAY and the LESSOR as joint controllers, shall do everything in their power to ensure the security and the confidentiality of the personal data entrusted to them.

- A copy of an identity document may be kept as proof for the exercise of a right of access, rectification or opposition or to meet a legal requirement.

- Data related to the monitoring of the business relationship: requests for documentation and trials, quantities, amounts, frequency, delivery address, order history, purchases and service provision, product returns, possibly, origin of the order or the sale, correspondence with the customer and after-sales service, interaction with and feedback from customers and prospects, person/people in charge of customer relations

- Data related to the organisation and processing of competitions, lotteries and any promotional operations such as the date of participation, the answers given to competitions and the nature of the prizes offered

- Data related to your browsing on our website via cookies

5.3. Consent

It is necessary to collect and process the USER’s personal data in order to perform a SERVICE. In view of the fact that the USER has chosen to order the performance of a SERVICE, there is no need for the LESSOR or MAGIC STAY to require the USER’s consent, it being necessary for the performance of the SERVICE.

ARTICLE 6. REGARDING PAYMENT DETAILS

6.1. Regarding the collection and processing of payment details

The term “payment details” applies to:

- The details of the payment methods used by the LESSEE on the WEBSITE for purchasing a SERVICE offered by MAGIC STAY, the relevant account and payment details, such as the account number, bank card number, expiry date and name of the account holder

- The data concerning the result of the transaction, such as the transaction number and the order enumeration

These data are collected by MAGIC STAY, via the software solution implemented on the WEBSITE, during the ordering process. They are then stored on a secure server and some of them are forwarded to the LESSOR.

It is expressly acknowledged that MAGIC STAY and the other data processing stakeholders:

- Shall not proceed with data processing which would be incompatible with the specified purposes

- Shall take all technical and organisational measures to ensure the security and the confidentiality of the LESSEE’s personal data.

6.2. Purposes of the processing

LESSEES wishing to be provided with a SERVICE must use the payment services.

The payment services necessary to the WEBSITE are provided by PAYBOX, which processes LESSEES’ transactions and transfers the amounts to MAGIC STAY.

Consequently, PAYBOX, the LESSOR and MAGIC STAY must process the LESSEES’ data for:

- The provision of payment services

- The conducting of audit procedures

6.3. Status of stakeholders

PAYBOX should be considered as the data controller for the processing of data related to SERVICE payment management.

MAGIC STAY, which processes some of the LESSOR’s data as part of the provision of payment services, should be considered as joint controller for the processing of data related to the result of the transaction and invoice payment.

For more information

If you have any questions about the management and the use made of your personal data, please contact us:

Legal reminder: Under the French Data Protection Act, THE DATA CONTROLLER is the person who determines the purposes for which and the manner in which any personal data are processed. When two or more data controllers jointly determine the purposes for which and the manner in which any personal data are processed, they are joint data controllers (or joint controllers).

6.4. Consent

The customer’s personal data must be processed to carry out the payment for the SERVICE. As the LESSEE has chosen to order the performance of the SERVICE, MAGIC STAY shall not have to ask for its consent, it being necessary for the performance of the supply contract for the related payment services.

Furthermore, PAYBOX processes the customer data necessary for combating fraud, the financing of terrorism and money-laundering under a legal obligation that falls to it as an approved payment institution.

6.5. Payment data retention period

Except as provided for in the following paragraphs, the bank details shall no longer be kept once the transaction has been performed by MAGIC STAY, that is, once full payment has been received for the desired booking.

It should be specified that for payments made by bank cards, such data may be stored in temporary files to serve as proof if the transaction is contested, for a period of thirteen (13) months (or fifteen (15) months if the payment is deferred) from the date the debit is made. In any event, the security code is not stored and the bank details are deleted after the expiry of the date indicated above.

ARTICLE 7. DATA RECIPIENTS

Only the people mentioned below may have access to the USERS’ data:

- Authorised personnel from MAGIC STAY’s different departments (marketing, sales, administration, logistics and IT, those responsible for customer relations and prospecting and those responsible for auditing)

- Authorised personnel of subcontractors (if there are subcontractors)

Your data are not communicated, exchanged, sold or leased to anyone other than those people mentioned above.

ARTICLE 8. DATA RETENTION PERIOD

MAGIC STAY undertakes to ensure that the data collected are retained in a form that allows you to be identified for a period not exceeding the period necessary for the purposes for which such data are collected and processed.

However, data processing is possible for proof of a right or a contract. Such data may also be retained in order to comply with a legal obligation or kept in files in accordance with the applicable laws and regulations.

By way of exception, the USER’s identification data are retained by MAGIC STAY for a period of three (3) years as of the closure of the MEMBER AREA or the last contact with the USER. The LESSORS’ data are retained for the entire duration of the contractual relationship.

As for the cookies referred to in Article 10 of this Confidentiality Policy, it is specified that the information stored on your terminal (e.g. cookies) or any other element used to identify you for the purposes of audience statistics are not retained beyond a period of thirty-six (36) months. After this period, the raw visitor data associated with a username are either deleted or anonymised.

Finally, to ensure that the WEBSITE and its functionalities function properly and continually improve, the raw visitor data associated with a username are retained for a period of thirteen (13) months. After this period, they are deleted or anonymised.

MAGIC STAY retains USERS’ personal data for a period which does not exceed the time required for the completion of the intended purpose.

For more information

For the management and follow-up of your contracts, orders, deliveries and invoices

Your data are retainedfor the entire term of the contract.

Your data are stored for five (5) years for providing proof. Your invoices and accounting data are retained for a period of ten (10) years.

In the absence of an appropriate contract, your data are retained for a period of three (3) years from the day they are collected or the day of your last contact with us.

For bank details data

In principle, your payment data are deleted once the transaction has been performed, then archived / stored for a period of thirteen (13) months after the transaction date.

For marketing purposes

If you are a customer: three (3) years from the end of the business relationship.

If you are not a customer yet: three (3) years from the day you last made contact with us.

Your data are then stored for a period of five (5) years, for the purposes of proof, in accordance with the provisions in force (French Insurance Code, Mutuality Code, Commercial Code, Civil Code, Consumer Code, Domestic Security Code, etc.)

For your identity documents

1 year in the case where you exercise your right of access or rectification

3 years in the case where you exercise your right of opposition

For audience and statistics measurements

36 months, then your data are deleted or anonymised

To ensure that our WEBSITE functions properly and continually improves

13 months, then your data are deleted or anonymised.

ARTICLE 9. YOUR RIGHTS

In accordance with the French Data Protection Act and with the GDPR, you have the following rights:

The right to block or erase your personal data (Article 17 GDPR), when they are inexact, incomplete, ambiguous, no longer valid or if their collection, use, communication or retention is prohibited (find out more)

The right to data portability for the data you have provided us with, when your data are subject to automated processing based upon your consent or upon a contract (Article 20 GDPR)

The right to define the fate of your data after your death and to choose whether or not we communicate your data to a third party previously designated by you (find out more).

In the event of your death and failing instructions from you, we undertake to destroy your data, unless they need to be retained for purposes of proof or to fulfil a legal obligation.

These rights may be exercised, by simple request sent by email todpo@magicstay.comor by sending a letter to MAGIC STAY, 7 avenue Michel Chevalier – 06130 GRASSE, stating your contact details (surname, first name, address) and providing a legitimate reason as justification when this is required by law (particularly in the case of objecting to the processing).

Where you have forwarded a copy of a form of identification to prove your identity, we shall retain it for one (1) year or three (3) years when it has been forwarded in the context of the exercise of a right of opposition.

To learn more about your rights, you can also consult the French Data Protection Authority's website at the following address: http://cnil.fr.

By browsing the WEBSITE, you agree to MAGIC STAY installing this type of cookie known as “technical” cookies, the sole purpose of which is to allow or facilitate the electronic communication of your terminal equipment with our website, facilitating management and browsing on it.

Our access to the information stored on your terminal equipment or the registration of information in it shall only take place in the following cases:

- To allow or facilitate electronic communication

- When it is necessary for the provision of our service

As for the other data, you can exercise your right to access these login data either by sending an email requesting to do so to dpo@magicstay.comor by sending a letter to MAGIC STAY, 7 avenue Michel Chevalier – 06130 GRASSE.

If your browser allows you to, you can disable these cookies at any time by following the procedure specified by said browser. However, MAGIC STAY advises you that disabling the cookies may result in slowing down and/or disrupting access to the WEBSITE.

Furthermore, MAGIC STAY informs you that it uses the services of Google Analytics to measure the WEBSITE’s audience.You can refuse to have your browsing on the website monitored by the Google Analytics tool by downloading the Google Analytics Opt-out Browser add-on for your current browser on the WEBSITE from the following address: http://tools.google.com/dlpage/gaoptout?hl=fr.

In any event, the information stored on your terminal (e.g. cookies) or any other element used to identify you for the purposes of audience statistics are not retained beyond a period of thirty-six (36) months.After this period, the raw visitor data associated with a username are either deleted or anonymised.

To learn about the nature of the cookies and other trackers implemented on the WEBSITE, USERS are invited to consult the MAGIC STAY Cookies Charter provided for this purpose and available at the following address [link].

ARTICLE 11. CONTACT DETAILS OF THE DATA PROTECTION OFFICER

Our Data Protection Officer is here to answer any inquiries, including the exercising of rights, relating to your personal data.

You can contact him either via this contact form,or by email at dpo@magicstay.com or by sending a letter to MAGIC STAY, 7 avenue Michel Chevalier – 06130 GRASSE.

ARTICLE 12. SECURITY

MAGIC STAY and any of its subcontractors undertake to implement every technical and organisational measure to ensure that our processing of personal data and the confidentiality of your data are secure, in accordance with the French Data Protection Act and the EU regulation on data protection (GDPR) and Law No.2018-133 of 26 February 2018 “bringing a number of provisions into line with EU law in the field of security”.

As such, MAGIC STAY shall take all necessary precautions, in view of the nature of your data and the risks presented by our processing, to preserve data security and, in particular, prevent them from being corrupted, damaged or accessed by any unauthorised third parties (physical protection of the premises, authentication procedure for our customers with personal and secure access via confidential usernames and passwords, logging of connections, encryption of certain data, etc.).

ARTICLE 13. TRANSFERT OUSIDE THE EU

As part of its activities, MAGIC STAY is required to transfer USERS’ data outside the European Union.

MAGIC STAY informs the USERS, stating the steps taken to monitor this transfer and ensure that their data is kept confidential.